Debugging MBRLockers on Windows

Ever met MBRLockers? Yes, those nasty pieces of malware which replace your Master Boot Record with malicious code and ransom you. Good news here: most of them just back up your original MBR somewhere and put one asking for ransom in its place. Today I’m going to tell you how to debug these things easily for ehmm, scientific purposes.

Simple MBR Locker

What you need to debug MBR

Bochs x86 PC Emulator – basically a virtual machine that supports stepping through code at boot time.
HxD – a freeware hex-editor.

Preparing the emulator

First of all, you need to prepare a disk image for Bochs. You can do so by going to the Bochs installation directory and running bximage. All the default settings will do.

Making disk image for Bochs

Notice that part of the configuration was copied to your clipboard and a file c.img should have appeared in the Bochs directory. You can put it anywhere you like or just run everything from this directory.

Also notice how a configuration file was mentioned. Go and make one, call it bochsrc. Put the following text in it:

display_library: win32, options="gui_debug"
romimage: file=$BXSHARE/BIOS-bochs-latest
vgaromimage: file=$BXSHARE/VGABIOS-lgpl-latest
megs: 16
ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14
ata0-master: type=disk, path="c.img", mode=flat, cylinders=20, heads=16, spt=63
boot: disk

If you made any changes to the default settings when creating the disk image, you need to replace line 6 with the contents of your clipboard now.

Preparing the Master Boot Record

At this point you have a disk image for the virtual machine, but it does not contain the malicious MBR to debug. You can access your current MBR as well as the MBR inside the image through HxD’s Extras menu as shown below.

HxD

For your current MBR, choose Open disk->Physical Disks->Hard Disk 1. For the Bochs disk image, choose Open disk image. Now simply copy and paste the MBR you need into the beginning of the disk image. Remember, the MBR has to be exactly 512 bytes long and end with 0x55AA. Save the changes by pressing Ctrl+S.
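The same copy step can be scripted so that the two constraints above are checked before the image is touched. This is an added example, not part of the original post: the function names are hypothetical, and the sample MBR and blank image are constructed inline (the boot code is a harmless jmp $ loop). It also lists the partition table entries, which shows whether a dumped MBR still carries the original table.

```python
import os
import struct
import tempfile

SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # last two bytes of the sector, offsets 510 and 511

def check_mbr(mbr: bytes) -> None:
    """Raise ValueError unless mbr is one 512-byte sector ending in 55 AA."""
    if len(mbr) != SECTOR:
        raise ValueError(f"MBR must be {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:] != BOOT_SIG:
        raise ValueError("boot signature 55 AA missing at offset 510")

def partitions(mbr: bytes) -> list:
    """Return (index, type, first LBA, sector count) for non-empty table entries."""
    check_mbr(mbr)
    found = []
    for i in range(4):  # four 16-byte entries follow 446 bytes of boot code
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            found.append((i, ptype, lba, count))
    return found

def install_mbr(image_path: str, mbr: bytes) -> None:
    """Overwrite sector 0 of a flat image in place, leaving the rest untouched."""
    check_mbr(mbr)
    size = os.path.getsize(image_path)
    if size < SECTOR or size % SECTOR:
        raise ValueError("image is not a whole number of 512-byte sectors")
    with open(image_path, "r+b") as img:  # r+b patches in place, never truncates
        img.write(mbr)

def demo() -> tuple:
    """Constructed sample: a 1 MiB blank image and an MBR whose code is jmp $."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 2000)
    mbr = (b"\xeb\xfe".ljust(446, b"\x00") + entry).ljust(510, b"\x00") + BOOT_SIG
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "c.img")
        with open(path, "wb") as f:
            f.write(b"\x00" * (2048 * SECTOR))
        install_mbr(path, mbr)
        with open(path, "rb") as f:
            sector0 = f.read(SECTOR)
        return sector0 == mbr, os.path.getsize(path), partitions(sector0)

if __name__ == "__main__":
    print(demo())
```

For a real session, call install_mbr with the path to the c.img made by bximage and the 512 bytes of the dumped sample; the image size stays the same, so the geometry line in bochsrc remains valid.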

Debugging with Bochs

Fire up the command prompt by pressing WinKey+R and cd to the directory where you’ve saved the configuration file and the disk image. If this directory is not the Bochs installation directory, don’t forget to execute

set path=%path%;C:\path\to\bochs\folder

Now you are ready to start debugging. Execute the following to start Bochs Enhanced Debugger:

bochsdbg -q -f bochsrc

If everything goes without a hitch, you should be presented with 3 windows: Console, Display and the Debugger paused at the very first instruction of Bochs BIOS. At the very bottom you can enter lb 0x7c00 to set a breakpoint on the MBR and press Continue. You will see stuff happening in the Display window and end up with the debugger paused at the Master Boot Record.

Bochs Debugger

From here you should already have an idea of how to continue: you’ve just set a breakpoint and continued execution. To step through instructions, you can either press Step or enter s in the console at the bottom of the Debugger window. You can display the stack on the right by pressing F2, or any location in memory by pressing F7. The registers are on the left and the code is in the middle. You can see CPU information and flag states in the status bar.

For more information on using Bochs debugger, visit this page.